Statutory Issues Related to Investigations

Introduction

Now that we have defined the lanes, we will be able to see more clearly how issues relate to each lane. The primary emphasis in this topic will be on the Law Enforcement Official, but effects on the system provider and the Intelligence community will also be seen. We will also see that the Constitutional authority underlying the warfighter role raises it above statutory law, while deriving boundaries from the Constitution as well.

Objectives

In this topic, we will review various laws involved in the conduct of cybercrime investigations. These laws include the Federal Wiretap Act (FWA), the Electronic Communications Privacy Act (ECPA) (which amended the FWA in Title I and set out the Stored Communications Act in Title II), the Privacy Protection Act, the Pen Register/Trap and Trace Statute, and finally two fairly recent laws that modified several of the above laws, the USA PATRIOT Act and the Homeland Security Act.

Electronic Communications Privacy Act of 1986

Congress enacted the Federal Wiretap Act as part of the Omnibus Crime Control and Safe Streets Act of 1968. It has since been amended many times, including by the Electronic Communications Privacy Act or ECPA. The Wiretap Act is codified at 18 U.S.C. Sections 2510 through 2521. This law protects the privacy of wire, oral, and electronic communications. It generally prohibits the interception and use or disclosure of intercepted communications by ANY person unless the interception is conducted in accordance with an exception set out in the law. In its simplest sense, an interception is the capture of the content of a communication while it is in transit. This offense is most commonly charged when a hacker uses a sniffer program to capture passwords as they flow over the network. Note that the protections afforded by this statute are in addition to those already provided under the Fourth Amendment. We will examine this statute in more detail later because it provides some of the most significant limitations on government actions.

Definitions

Here are some critical terms used in relation to the Wiretap Act, with working definitions extracted from Title 18, Section 2510.

     Wire Communication

     "Wire communication" means any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception (including the use of such connection in a switching station) furnished or operated by any person engaged in providing or operating such facilities for the transmission of interstate or foreign communications or communications affecting interstate or foreign commerce.

     Oral Communication

     "Oral communication" means any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation, but such term does not include any electronic communication.

     Electronic Communication

     "Electronic communication" means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include - (A) any wire or oral communication; (B) any communication made through a tone-only paging device; (C) any communication from a tracking device (as defined in section 3117 of Title 18); or (D) electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds.

     Intercept

     "Intercept" means the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.

     Contents

     The term "contents" includes any information concerning the substance, purport, or meaning of that communication.

USA PATRIOT Act Changes to Wiretap Act

The USA PATRIOT Act changed the Wiretap Act by adding a proviso that allows investigative or law enforcement officers, or government attorneys, who obtain knowledge of the content of a wiretap, to disclose information to other Federal law enforcement, protective, immigration, national defense, or national security officials to the extent that the contents include foreign or counterintelligence information.

Law Enforcement - Banners

Some Government entities placed consent banners on their six or eight most commonly used ports in an attempt to obtain implied consent from trespassers. Unfortunately, since computers have over 65,000 virtual ports, hackers could inevitably penetrate a system through an unbannered port and thereby bind the hands of law enforcement. The USA PATRIOT Act recognized a new exception for intercepting the communications of “computer trespassers.” Thus, law enforcement agents may now generally rely on the consent exception, the computer trespasser exception, or court orders to obtain information necessary to accomplish their investigations.

Wiretap Summary

We have covered the aspects of the Wiretap Act that are most useful in cyberspace. We mentioned how the USA PATRIOT Act has refocused parts of the Wiretap Act. Next, let's look at some of the details of how the USA PATRIOT Act changed the ways we may deal with computer trespassers.

USA PATRIOT Act - Introduction

This section of the course is closely derived from the Computer Crime and Intellectual Property Section’s "Guidance on New Authorities that Relate to Computer Crime and Electronic Evidence Enacted in the USA PATRIOT Act of 2001."

USA PATRIOT Act - Section 217

Section 217 of the USA PATRIOT Act applies to intercepting the communications of computer trespassers. Although the Wiretap statute allows computer owners to monitor the activity on their machines to protect their rights and property, it was unclear whether computer owners could obtain the assistance of law enforcement in conducting such monitoring. This lack of clarity prevented law enforcement agencies from assisting victims in taking the natural and reasonable steps in their own defense that were entirely legal in the physical world. Section 217 of the Act clarified this situation.

USA PATRIOT Act - Amendment

To correct this problem, the amendments in Section 217 of the Act allow victims of computer attacks to authorize persons "acting under color of law" to monitor trespassers on their computer systems. Under new section 2511(2)(i), those operating in either of two lanes, law enforcement or counterintelligence, may intercept the communications of a computer trespasser transmitted to, through, or from a protected computer. The PATRIOT Act created a definition of "computer trespasser." A trespasser is any person who accesses a protected computer without authorization. The definition explicitly excludes any person "known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator for access to all or part of the computer."

USA PATRIOT Act - Amendment Requirements

Given that definition, the PATRIOT Act amendment to the Wiretap Act allows the owner or operator of a system to authorize—NOT consent to, but authorize—persons "acting under color of law to intercept wire or electronic communications of a computer trespasser which are transmitted to, through, or from a protected computer" if four requirements are met. The four requirements are set out here. These provisions will sunset December 31, 2005.

     Authorization

     Section 2511(2)(i)(I) requires that the owner or operator of the protected computer must authorize the interception of the trespasser’s communications.

     Ongoing Investigation

     Section 2511(2)(i)(II) requires that the person who intercepts the communication be lawfully engaged in an ongoing investigation. Both criminal and intelligence investigations qualify, but the authority to intercept ceases at the conclusion of the investigation.

     Reasonable Grounds

     Section 2511(2)(i)(III) requires that the person acting under color of law have reasonable grounds to believe that the contents of the communication to be intercepted will be relevant to the ongoing investigation.

     Interception Limited to Trespasser

     Section 2511(2)(i)(IV) requires that investigators intercept only the communications sent or received by trespassers. Thus, these sections would only apply where the configuration of the computer system allows the interception of communications to and from the trespasser, and not the interception of non-consenting, authorized users of the computer.

USA PATRIOT Act Disciplinary Actions

The USA PATRIOT Act added a provision that mandates an administrative determination about disciplinary actions against individual Government officers or employees when the court finds that individuals or agencies appear to have violated the wiretap statute intentionally. If the determination is made that disciplinary action is not warranted, the service IG must be notified and the reason provided.

Extraterritorial Application

There is no extraterritorial application of the Wiretap Act. When seeking authority to conduct a wiretap overseas, Department of Defense and service regulations, as well as the applicable Status of Forces Agreement, or SOFA, host nation, and international law apply.

Stored Wire and Electronic Communications

18 U.S. Code, Sections 2701 through 2711 limit the disclosure of the contents of stored electronic communication, subscriber information, and transaction information. These limits apply to the provider of electronic communication service to the public or remote computing service. The law also establishes the requirements for government access to that information.

Definitions

There are three important terms used in the Stored Wire and Communications Statute - Electronic Communication Service Provider, Remote Computing Service, and Electronic Storage.

     Electronic Communication Service Provider

     An electronic communication service provider supplies users with the ability to send or receive wire or electronic communications. Some examples of these providers include the Army, America Online, a university, or a corporation. Note that some portions of the ECPA, notably section 2702, apply only to entities "providing an electronic communication service TO THE PUBLIC." DoD entities do not, as a rule, provide electronic communication service to the public.

     Remote Computing Service

     A remote computing service provides computer storage or data processing services to the public by means of an electronic communications system. Examples include those who provide record storage or payroll processing services to the public. Again, because DoD entities generally do not provide such services to the public, DoD entities would generally not be classified as remote computing services.

     Electronic Storage

     Electronic storage is any temporary, intermediate storage of a wire or electronic communication incidental to transmission.

Disclosure of Stored Communications Limitations

An Electronic Communication Service Provider may disclose the contents of stored communications to specified parties under certain conditions. They may be disclosed to the addressee or intended recipient, or to others with the consent of the originator or addressee. They may be disclosed as provided by law. Communications may be disclosed as necessary to keep service going or protect the rights or property of the provider. Stored communications may also be disclosed to law enforcement if the contents were inadvertently obtained and appear to pertain to a crime. Records or other information pertaining to a customer, known as “transaction records,” may be disclosed to any person other than a Governmental entity. Additionally, and very importantly, because DoD is not a public service provider, it may generally share such types of information with appropriate government officials merely by obtaining the consent of the service provider.

Government Access

Again, because DoD is not a public service provider, it may generally share such types of information with appropriate government officials merely by obtaining the consent of the service provider. As to stored communications, the DoD service provider would generally also have to overcome potential Fourth Amendment issues and fit within an exception to the Federal Wiretap Act, for undelivered mail. These were covered in earlier sections.

Some Details of Disclosure

A provider is required to preserve information at the request of law enforcement, even if a legal instrument requiring disclosure is not immediately available. Warrants and court orders for disclosure must be issued by a Federal District Court judge or magistrate, not by a military judge.

USA PATRIOT Act - Stored Wire & Electronic Communications

The USA PATRIOT Act amended the Stored Wire & Electronic Communications Act to clarify ONE of the exceptions dealing with when a public provider can voluntarily disclose customer communications. Disclosure of contents can occur if there is reasonable belief that an emergency involving immediate danger of death or serious physical injury to a person requires disclosure without delay.

USA PATRIOT Act Changes to Disclosure

The USA PATRIOT Act allows records or other information about a customer to be disclosed when it is authorized by statute, through the legal process, with the consent of the customer; when necessary to keep service going or to protect the rights or property of the provider; and to the government, if there is reasonable belief that an emergency involving immediate danger of death or serious physical injury to a person requires disclosure.

Other USA PATRIOT Act Changes

Nationwide warrants for the contents of stored communications are now permitted. The USA PATRIOT Act added a disciplinary action provision similar to the one discussed under the wiretap statute. It also permits civil actions against the United States for willful violations of the statute.

Privacy Protection Act Limitations

The Privacy Protection Act protects work product or documentary material if there is reasonable belief the person is going to disseminate it in public communication in or affecting interstate or foreign commerce. The exception to this occurs when there is probable cause to believe the person has committed a crime to which those materials relate.

Privacy Protection Act Details

Information cannot be seized without prior approval of the Deputy Assistant Attorney General. There is strict civil liability if this statute is violated. Other exceptions, as in the case of contraband material, exist.

International Limitations

An investigation could lead to a foreign Internet service provider, or to a foreign suspect. U.S. laws for obtaining information are ineffective overseas. You will find that the NATO Status of Forces Agreement does not cover this either. Possible solutions include requesting assistance under a Mutual Legal Assistance Treaty, or MLAT, or through a Letter Rogatory. These are lengthy processes, taking six months or more. They typically involve the highest levels of service attorneys, Departments of Justice and State, U.S. and foreign judiciaries, foreign government offices, foreign law enforcement officials, embassy personnel, foreign Internet service providers, and others.

Joint Ethics Regulation

The Joint Ethics Regulation lists rules for acceptable use of government resources. It allows the use of Government telecommunications resources if there is a policy in place and if there is a limited burden on the system. Personal use of Government-provided Internet is permitted when authorized. See DoD Directive 5500.7-R for further details. Consult with your supervisor or chain of command for additional details on whether this may be implemented within your service or agency.

Joint Ethics Regulation - Monitoring

The Joint Ethics Regulation states, "DoD employees shall use Federal Government communications systems with the understanding that such use serves as consent to monitoring of any type of use, including incidental and personal uses, whether authorized or unauthorized."

Homeland Security Act

The Homeland Security Act amended the Federal Wiretap Act by adding two new bases for disclosure and use of intercepted communications at 18 U.S.C. §2517, in sections (7) and (8).

Homeland Security Act (contd.)

The Homeland Security Act also amended the Pen Registers and Trap and Trace Devices Statute by adding two new bases for an emergency pen/trap installation. The first recognized a new exception for an immediate threat to a national security interest. The second recognized a new exception for an ongoing attack on a protected computer (as defined in Section 1030) that constitutes a crime punishable by a term of imprisonment greater than one year. See 18 U.S.C. Section 3125 for additional details on all of the emergency exceptions.

Pen Register/Trap & Trace Statute Introduction

Two other devices that can be helpful in determining the source of a cyber intrusion or the perpetrator of a cybercrime are the pen register and the trap and trace device. DoD’s implementation of the sections of the U.S. Code pertaining to the use of these devices is DoD Directive 5505.9. What follows is a brief overview of some of the legal issues related to pen/trap and trace devices.

Pen Register/Trap & Trace Device

In rough terms, a pen register records outgoing addressing information, such as a number dialed from a monitored telephone. A trap and trace device records incoming addressing information, such as caller ID information. For our purposes, pen/trap and trace devices are used to gather header information from computer communications. There were a few isolated cases that held that the language of the Pen Register/Trap and Trace statute did not properly encompass computer communications. The USA PATRIOT Act authoritatively overruled such holdings.

Pen/Trap for Providers

The use of a pen/trap device generally requires a court order. But just as with the Federal Wiretap Act, there are several exceptions. The Pen/Trap statute states that providers may use pen/trap devices without a court order when (1) relating to the operation, maintenance, and testing of a wire or electronic communication service or to the protection of the rights or property of such provider, or to the protection of users of that service from abuse of service or unlawful use of service; or (2) to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire communication, or a user of that service, from fraudulent, unlawful or abusive use of service; or (3) where the consent of the user of that service has been obtained. The first and third exceptions, setting out the service provider and consent exceptions, are the most important for our purposes.

Consent Exception

The consent exception is especially important when one wants to use a pen/trap device on a government phone or computer. The Designated Approving Authority is generally deemed to be the owner of the phones under his or her jurisdiction. Thus, DAAs can provide consent for non-residential government phones under their jurisdiction. Ensure you follow your Service or Agency guidelines on obtaining appropriate approvals for the use of pen/trap devices for a law enforcement or counterintelligence purpose under the consent exception.

Court Orders

Where no exception to the Pen/Trap statute exists, law enforcement and counterintelligence agents must generally obtain court orders. The legal standard for obtaining a pen/trap order is a fairly low one. Consult the statute for details, but also ensure you follow your Service or Agency guidelines. In some cases those guidelines elevate the legal standard otherwise required by law.

Summary

In this topic, we have addressed the statutory limits on investigations imposed by the Wiretap Act, the Electronic Communications Privacy Act, the Privacy Protection Act and the Pen Register/Trap and Trace Statute. We also reviewed changes effected by the USA PATRIOT Act and the Homeland Security Act. Now we will turn to some issues related to the First Amendment and intellectual property law.